Kamesh Jayachandran wrote:
> Yes done, find the dump at http://www.livecipher.com/tlsext_dump/tlsext.dmp.2

Ok, thanks. So, for the sake of reference, your setup for this capture
was:

- (Windows) client with OpenSSL 0.9.8k, compiled with defaults
- server with OpenSSL 0.9.8j, compiled with defaults
- httpd 2.2.14, w/o the OP_NO_TICKET patch

Is that correct?

I have extracted the two Hello messages into a separate pcap file (attached).
It's the ServerHello in the second packet to which the client then immediately
replies with SSL_AD_DECODE_ERROR. I'm also attaching Wireshark's
interpretation of the bytes in question, followed by their hex dumps.

As Joe observed in an earlier message, there are only two places in
t1_lib.c:ssl_parse_serverhello_tlsext() which set SSL_AD_DECODE_ERROR,
and it seems very likely that the following code is hit:

>         if (!s->hit && tlsext_servername == 1)
>                 {
>                 if (s->tlsext_hostname)
>                         {
>                         if (s->session->tlsext_hostname == NULL)
>                                 {
>                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
>                                 if (!s->session->tlsext_hostname)
>                                         {
>                                         *al = SSL_AD_UNRECOGNIZED_NAME;
>                                         return 0;
>                                         }
>                                 }
>                         else
>                                 {
>                                 *al = SSL_AD_DECODE_ERROR;
>                                 return 0;
>                                 }
>                         }
>                 }

I'll defer to the OpenSSL gurus for further analysis, but apparently
it has to do with the fact that the client reuses an SSL session
(s->session->tlsext_hostname is non-null), but this case is not
expected by ssl_parse_serverhello_tlsext(). It would also explain,
however, why the issue does not show up immediately, but only after
a couple of minutes (i.e., when a session is really being reused).

Kaspar


ClientHello: includes both an SNI and a SessionTicket extension
(i.e., client tries a stateless resume)

    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 316
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 312
            Version: TLS 1.0 (0x0301)
            Random
                gmt_unix_time: Sep  1, 2009 18:24:07.000000000
                random_bytes: DC61CBA8386F040540B164CA43C99C0A25618A34DC84B0CF...
            Session ID Length: 0
            Cipher Suites Length: 40
            Cipher Suites (20 suites)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
                Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
                Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
                Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
                Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
                Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
                Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
                Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 231
            Extension: server_name
                Type: server_name (0x0000)
                Length: 15
                Data (15 bytes)
            Extension: SessionTicket TLS
                Type: SessionTicket TLS (0x0023)
                Length: 208
                Data (208 bytes)

0030                                   01 00 01 38 03              ...8.
0040  01 4a 9d 4a a7 dc 61 cb a8 38 6f 04 05 40 b1 64   .j.j..a..8...@.d
0050  ca 43 c9 9c 0a 25 61 8a 34 dc 84 b0 cf e2 f2 0c   .C...%a.4.......
0060  ff 00 00 28 00 39 00 38 00 35 00 16 00 13 00 0a   ...(.9.8.5......
0070  00 33 00 32 00 2f 00 07 00 05 00 04 00 15 00 12   .3.2./..........
0080  00 09 00 14 00 11 00 08 00 06 00 03 01 00 00 e7   ................
0090  00 00 00 0f 00 0d 00 00 0a 6b 61 6d 65 73 68 2e   .........kamesh.
00a0  63 6f 6d 00 23 00 d0 cf 41 ef 4a 9b 41 98 ca 3b   com.#...A.J.A..;
00b0  11 01 5a 16 6d ed a0 86 56 79 24 5c a7 1e 3e ec   ..Z.m...Vy$\..>.
00c0  47 27 d3 07 47 f7 17 04 3a 4e b3 64 bb de e5 ca   G'..G...:N.d....
00d0  aa 48 1c 61 2c e4 80 df c0 f7 be 7e 81 b9 0c ad   .H.a,......~....
00e0  03 8f f1 df 0b 89 80 d1 7a de 5c 21 af ff b0 94   ........z.\!....
00f0  67 83 b7 91 67 b8 b3 8b e7 af de 6e 53 37 05 89   g...g......nS7..
0100  e8 b8 a0 2f 39 ec 38 9f fa 35 7f 41 66 b1 57 fa   .../9.8..5.Af.W.
0110  36 97 64 c9 39 22 9c f2 75 56 0d 4c b7 75 36 0f   6.d.9"..uV.L.u6.
0120  22 a2 5b 28 31 ff 26 26 5b 9f d9 ee 76 24 65 48   ".[(1.&&[...v$eH
0130  1d ad 13 8e d3 5d 8b f9 09 ea e8 a4 6c 8f c2 ae   .....]......l...
0140  73 67 e0 c4 a3 fd 13 cc 37 a9 20 eb 35 ba 66 86   sg......7. .5.f.
0150  3e 0e 5e af d8 6c df ba 8c ef 69 1a c1 fd 07 e9   >.^..l....i.....
0160  7a 44 04 b9 0f 70 90 b6 fe ff dc 49 f6 49 44 4c   zD...p.....I.IDL
0170  a1 03 e9 5b 12 f6 30                              ...[..0

-----

ServerHello: includes an acknowledgement for the SNI extension
(with an empty "extension_data" field, as specified in RFC 4366).

    TLSv1 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 48
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 44
            Version: TLS 1.0 (0x0301)
            Random
                gmt_unix_time: Oct 23, 2009 18:26:28.000000000
                random_bytes: 7BB7CEA14E031A61466D401D6633DD50D4B2513B845D2D0A...
            Session ID Length: 0
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
            Compression Method: null (0)
            Extensions Length: 4
            Extension: server_name
                Type: server_name (0x0000)
                Length: 0
                Data (0 bytes)

0030                                   02 00 00 2c 03              ...,.
0040  01 4a e1 d9 34 7b b7 ce a1 4e 03 1a 61 46 6d 40   .J..4{...N..aFm@
0050  1d 66 33 dd 50 d4 b2 51 3b 84 5d 2d 0a 1f cd bb   .f3.P..Q;.]-....
0060  f1 00 00 39 00 00 04 00 00 00 00                  ...9.......

Attachment: hello-messages.pcap
Description: Binary data
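As an added illustration (not part of the original message, and not OpenSSL's own code), the following C walks the 48 ServerHello bytes transcribed from the hex dump above, confirms that the server_name acknowledgement is present with empty extension_data, and then applies a model of the client-side branch quoted from t1_lib.c to a fresh session and to a reused session whose tlsext_hostname is already set. The BUF_strdup failure path (SSL_AD_UNRECOGNIZED_NAME) is left out of the model; the function and variable names are the example's own.

```c
/* Added example (not from the original message or from OpenSSL itself): parse the
 * ServerHello dumped above and apply the client-side branch quoted from t1_lib.c. */
#include <stddef.h>
#include <stdint.h>
#define SSL_AD_DECODE_ERROR 50                /* TLS alert "decode_error" */

/* ServerHello handshake message (48 bytes) from the hex dump above, record header stripped. */
static const uint8_t server_hello[] = {
    0x02, 0x00, 0x00, 0x2c, 0x03, 0x01,       /* ServerHello, length 44, TLS 1.0 */
    0x4a, 0xe1, 0xd9, 0x34, 0x7b, 0xb7, 0xce, 0xa1, 0x4e, 0x03, 0x1a, 0x61, 0x46, 0x6d, 0x40, 0x1d,
    0x66, 0x33, 0xdd, 0x50, 0xd4, 0xb2, 0x51, 0x3b, 0x84, 0x5d, 0x2d, 0x0a, 0x1f, 0xcd, 0xbb, 0xf1,
    0x00, 0x00, 0x39, 0x00,                   /* empty session_id, 0x0039, null compression */
    0x00, 0x04, 0x00, 0x00, 0x00, 0x00        /* extensions (4 bytes): server_name, empty data */
};

/* Walk the ServerHello. Returns 1 if a server_name extension is present (RFC 4366
 * requires its extension_data to be empty), 0 if absent, -1 if malformed. */
static int serverhello_has_sni(const uint8_t *p, size_t n)
{
    size_t i = 4, ext_end;
    int found = 0;
    if (n < 4 || p[0] != 2) return -1;
    if ((((size_t)p[1] << 16) | ((size_t)p[2] << 8) | p[3]) != n - 4) return -1;
    i += 2 + 32;                              /* version + random */
    if (i >= n) return -1;
    i += 1 + p[i] + 2 + 1;                    /* session_id, cipher_suite, compression */
    if (i == n) return 0;                     /* no extensions block at all */
    if (i + 2 > n) return -1;
    if ((ext_end = i + 2 + (((size_t)p[i] << 8) | p[i + 1])) != n) return -1;
    for (i += 2; i + 4 <= ext_end; ) {
        unsigned type = (p[i] << 8) | p[i + 1];
        size_t len = ((size_t)p[i + 2] << 8) | p[i + 3];
        i += 4;
        if (i + len > ext_end) return -1;
        if (type == 0) found = 1;             /* server_name is extension type 0x0000 */
        i += len;
    }
    return i == ext_end ? found : -1;
}

/* Model of the quoted branch. hit: server resumed the session; acked: result of
 * serverhello_has_sni(); sent_sni: client sent server_name; sess_has_name: the
 * (reused) session object already holds tlsext_hostname. 0 = accept, else alert. */
static int client_sni_ack_result(int hit, int acked, int sent_sni, int sess_has_name)
{
    if (!hit && acked == 1 && sent_sni)
        return sess_has_name ? SSL_AD_DECODE_ERROR : 0;  /* else-branch in the quote */
    return 0;
}
```

With the captured bytes, a first handshake accepts the acknowledgement, while the same bytes received on a client that reuses its session object yield SSL_AD_DECODE_ERROR, matching the delayed failure described above.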